When the user logs into their Ubuntu 9.10 system with an Encrypted Home Directory, their system password is used to decrypt a strong, randomly generated mount passphrase. This design allows them to change their system password, while eCryptfs simply re-wraps the mount passphrase without needing to re-encrypt all of the home directory contents.

The decrypted mount passphrase is then hashed using SHA-512 (Secure Hashing Algorithm) to generate the fekek and fnek. These two keys are then loaded into the user’s session keyring. The Linux kernel uses the fnek to encrypt and decrypt file and directory names. The kernel then applies the fekek to file headers in order to extract and insert each file’s unique fek. Finally, the kernel uses the fek to encrypt and decrypt file contents. While eCryptfs supports several of the cryptographic ciphers available in the Linux kernel, Ubuntu setups use AES-128 (Advanced Encryption Standard) by default.
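The key hierarchy described in the two paragraphs above, as an added Python example that is not eCryptfs code: a login password unwraps the mount passphrase, the passphrase yields the fekek and fnek, and the fekek wraps each file's fek. It assumes PBKDF2-HMAC-SHA512 in place of eCryptfs's own SHA-512 derivation and a SHA-512 counter-mode keystream in place of AES-128; all function names are hypothetical.

```python
import hashlib, hmac, os

def derive(secret: bytes, label: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA512 stands in for eCryptfs's own SHA-512 derivation.
    return hashlib.pbkdf2_hmac("sha512", secret, label, 10_000, dklen=16)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (SHA-512 in counter mode), NOT the AES-128 that Ubuntu uses.
    out = bytearray()
    for off in range(0, len(data), 64):
        pad = hashlib.sha512(key + nonce + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 64], pad))
    return bytes(out)

def wrap(kek: bytes, secret: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = keystream_xor(derive(kek, b"enc"), nonce, secret)
    tag = hmac.new(derive(kek, b"mac"), nonce + ct, hashlib.sha512).digest()[:16]
    return nonce + ct + tag               # the MAC lets unwrap() detect a wrong key

def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    good = hmac.new(derive(kek, b"mac"), nonce + ct, hashlib.sha512).digest()[:16]
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or damaged blob")
    return keystream_xor(derive(kek, b"enc"), nonce, ct)

def session_keys(mount_passphrase: bytes):  # returns (fekek, fnek); fnek is for names
    return derive(mount_passphrase, b"fekek"), derive(mount_passphrase, b"fnek")

def write_file(mount_passphrase: bytes, plaintext: bytes):
    fekek, _ = session_keys(mount_passphrase)
    fek = os.urandom(16)                  # unique per file
    header = wrap(fekek, fek)             # the fek is stored wrapped in the file header
    return header, keystream_xor(fek, b"content", plaintext)

def read_file(mount_passphrase: bytes, header: bytes, body: bytes) -> bytes:
    fekek, _ = session_keys(mount_passphrase)
    return keystream_xor(unwrap(fekek, header), b"content", body)

def change_password(old: bytes, new: bytes, wrapped: bytes) -> bytes:
    # Only the small wrapped passphrase is rewritten; no file header or body changes.
    return wrap(derive(new, b"login"), unwrap(derive(old, b"login"), wrapped))

if __name__ == "__main__":
    passphrase = os.urandom(16).hex().encode()   # random mount passphrase
    wrapped = wrap(derive(b"old login", b"login"), passphrase)
    header, body = write_file(passphrase, b"constructed sample text")
    wrapped = change_password(b"old login", b"new login", wrapped)
    print(read_file(unwrap(derive(b"new login", b"login"), wrapped), header, body))
```

After the password change, the header and body written earlier still decrypt, and the old password no longer unwraps the passphrase.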

The additional CPU time required to handle this encryption and decryption is often less than the obligatory I/O (input/output) latency of modern hard disk and solid state drives. In some performance testing, the impact of Encrypted Private Directories was less than 2% for common workloads. This is generally not noticeable at run time, but might add roughly a second or so to the login process while setting up the encrypted mount point.

Ubuntu 9.10 Desktop Installation

At step 6 of 8 of the Ubuntu installer dialogue, there will be a new third radio button offering an option to “Require a password to log in and decrypt your home folder”.

Ubuntu 9.10 Server and Alternate Installations

In the curses-based Ubuntu Server and Alternate installers, an informative prompt will offer home directory encryption to the installing user:

Ubuntu 9.10 Post Installation

It is absolutely critical that users immediately install all Ubuntu security updates following an installation, and keep their systems up to date!

It is also essential that the user records their randomly generated mount passphrase. Write it down, print it out, escrow it to a trusted server or service, or store it in your safety deposit box. This key, rather than your system login password, is absolutely required if you need to restore your data from backup or migrate your data elsewhere.

On the first boot of a new Ubuntu Desktop installation, the user will be prompted to record their mount passphrase.

On Ubuntu Server installations without a graphical interface, users will need to manually extract and record their mount passphrase using the following command:

ecryptfs-unwrap-passphrase $HOME/.ecryptfs/wrapped-passphrase

Ubuntu 9.10 Running Systems

New users can be added to running Ubuntu 9.10 systems, with an Encrypted Home Directory, by using the following command:

sudo adduser --encrypt-home foo

Ubuntu 9.10 Live Migration to an Encrypted Home Directory

In most cases, it is possible to convert an existing user’s home directory to an Encrypted Home Directory.

To be safe, a complete backup copy of the presently non-encrypted data should first be made to another system or external media. It is possible that the migration process might result in data loss or lock the user out of the system, if things go wrong.

Ensure that there is sufficient disk space available to perform the backup. To make a full copy, aim for a little more than double the current disk usage of the home directory. Assuming the copy and encryption succeeds with complete access to the now encrypted data, you can later recover that space by deleting the backed up unencrypted data.

Check the usage of the home directory via the following commands:

du -sh $HOME
df -h $HOME

These instructions require administrator (sudo) access. Also, any existing $HOME/Private directory must be empty. If there is already some data in the $HOME/Private directory, move all of these files and directories out of the way and then follow the instructions displayed after running:

ecryptfs-setup-private --undo

Exit all desktop sessions. Ensure that there are no other processes on the system reading and/or writing data to that specific home directory. Perform all of the following instructions by logging in as the user through SSH (Secure Shell) or at a TTY terminal (Ctrl-Alt-F1):

ecryptfs-setup-private

Next, log out and log back in to ensure that $HOME/Private is mounted:

exit
login
mount | grep "$USER.*ecryptfs"

The result of that mount command should display the mounted directory. Next, use a tool such as rsync to copy all the data from the home directory to the new Encrypted Private Directory. If the home directory is large, this step might take a long time. Be very wary of any errors at this point. This is the most essential step in these instructions as all data must come across correctly. It is a good idea to re-run this rsync command a few times:

Carefully check all of the home directory data, ensuring that everything is in order. Once you are completely confident that the migration worked, reclaim some disk space by removing the backup of the old, non-encrypted data:

rm -rf $HOME.old
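One way to carry out the check described above before the old copy is removed, as an added example that is not part of the original article: it compares the old, unencrypted copy with the migrated home directory entry by entry (type, permission bits, SHA-256 of file contents) and reports anything missing or different. The function names and the paths in the usage comment are hypothetical.

```python
import hashlib, os, stat, sys

def fingerprint(path: str) -> str:
    """Describe one entry: type, permission bits and, for regular files, a SHA-256."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return "link:" + os.readlink(path)
    mode = oct(stat.S_IMODE(st.st_mode))
    if stat.S_ISDIR(st.st_mode):
        return "dir:" + mode
    if not stat.S_ISREG(st.st_mode):
        return "special:" + mode              # sockets, FIFOs: contents are not read
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return "file:" + mode + ":" + h.hexdigest()

def _raise(err):
    raise err                                 # an unreadable directory must not be skipped

def snapshot(root: str) -> dict:
    """Map every path below root (relative to root) to its fingerprint."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root, onerror=_raise):
        for name in dirnames + filenames:     # symlinked directories are not followed
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root)] = fingerprint(full)
    return entries

def compare_trees(old_root: str, new_root: str):
    """Return (missing, changed): old paths absent from, or different in, the new tree."""
    old, new = snapshot(old_root), snapshot(new_root)
    missing = sorted(p for p in old if p not in new)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return missing, changed

if __name__ == "__main__":
    # Usage with hypothetical paths: python3 verify_home.py /home/foo.old /home/foo
    missing, changed = compare_trees(sys.argv[1], sys.argv[2])
    for p in missing:
        print("MISSING", p)
    for p in changed:
        print("CHANGED", p)
    sys.exit(1 if missing or changed else 0)
```

Ownership and timestamps are not compared, and files that exist only in the new home directory are not reported.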

If any of the above steps fail, installing Ubuntu 9.10 from scratch and enabling the Encrypted Home Directory option might be easiest. Afterwards, simply copy the data from the unencrypted backup into the new user’s home (make sure that the backup is on external media, or if not, then ensure that the partition containing it is not formatted during installation!).

Remote Backups of Encrypted Data

Limitless network data storage is among the prominent features of Cloud Computing services, such as Ubuntu One. Data privacy in the Cloud, however, is a concern of many Cloud customers. eCryptfs provides an interesting advantage to Cloud storage users. Encrypted Home Directory users can conveniently and incrementally synchronize the encrypted contents of their $HOME/.Private directory to remote storage and rest assured that no other user, intruder, or even administrator of the remote Cloud storage can access the decrypted contents.
